I'm having some trouble getting Kerberos (the Heimdal version) to play nicely with OpenLDAP. The Kerberos database is stored in LDAP itself. The KDC uses SASL EXTERNAL authentication as root to access the container OU. I hope this is the appropriate forum for this kind of question.
I created the database in LDAP using kadmin -l, but it won't let me use kadmin without the -l flag:
root@rds0:~# kadmin -l
kadmin> list *
krbtgt/REALM
kadmin/changepw
kadmin/admin
changepw/kerberos
kadmin/hprop
WELLKNOWN/ANONYMOUS
WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L
default
brian.empson
brian.empson/admin
host/rds0.example.net
ldap/rds0.example.net
host/localhost
kadmin> exit
root@rds0:~# kadmin
kadmin> list *
brian.empson/admin@REALM's Password: <----- With right password
kadmin: kadm5_get_principals: Key table entry not found
kadmin> list *
brian.empson/admin@REALM's Password: <------ With wrong password
kadmin: kadm5_get_principals: Already tried ENC-TS-info, looping
kadmin>
I can get tickets without any problem:
root@rds0:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: brian.empson@REALM
Issued Expires Principal
Nov 11 14:14:40 2012 Nov 12 00:14:37 2012 krbtgt/REALM@REALM
Nov 11 14:40:35 2012 Nov 12 00:14:37 2012 ldap/rds0.example.net@REALM
But I can't seem to change my own password without kadmin -l:
root@rds0:~# kpasswd
brian.empson@REALM's Password: <---- Right password
New password:
Verify password - New password:
Auth error : Authentication failed
root@rds0:~# kpasswd
brian.empson@REALM's Password: <---- Wrong password
kpasswd: krb5_get_init_creds: Already tried ENC-TS-info, looping
kadmin's log doesn't help at all:
2012-11-11T13:48:33 krb5_recvauth: Key table entry not found
2012-11-11T13:51:18 krb5_recvauth: Key table entry not found
2012-11-11T13:53:02 krb5_recvauth: Key table entry not found
2012-11-11T14:16:34 krb5_recvauth: Key table entry not found
2012-11-11T14:20:24 krb5_recvauth: Key table entry not found
2012-11-11T14:20:44 krb5_recvauth: Key table entry not found
2012-11-11T14:21:29 krb5_recvauth: Key table entry not found
2012-11-11T14:21:46 krb5_recvauth: Key table entry not found
2012-11-11T14:23:09 krb5_recvauth: Key table entry not found
2012-11-11T14:45:39 krb5_recvauth: Key table entry not found
The KDC reports that both accounts authenticated successfully:
2012-11-11T14:48:03 AS-REQ brian.empson@REALM from IPv4:192.168.72.10 for kadmin/changepw@REALM
2012-11-11T14:48:03 Client sent patypes: REQ-ENC-PA-REP
2012-11-11T14:48:03 Looking for PK-INIT(ietf) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for PK-INIT(win2k) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for ENC-TS pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-11-11T14:48:03 sending 294 bytes to IPv4:192.168.72.10
2012-11-11T14:48:03 AS-REQ brian.empson@REALM from IPv4:192.168.72.10 for kadmin/changepw@REALM
2012-11-11T14:48:03 Client sent patypes: ENC-TS, REQ-ENC-PA-REP
2012-11-11T14:48:03 Looking for PK-INIT(ietf) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for PK-INIT(win2k) pa-data -- brian.empson@REALM
2012-11-11T14:48:03 Looking for ENC-TS pa-data -- brian.empson@REALM
2012-11-11T14:48:03 ENC-TS Pre-authentication succeeded -- brian.empson@REALM using aes256-cts-hmac-sha1-96
2012-11-11T14:48:03 ENC-TS pre-authentication succeeded -- brian.empson@REALM
2012-11-11T14:48:03 AS-REQ authtime: 2012-11-11T14:48:03 starttime: unset endtime: 2012-11-11T14:53:00 renew till: unset
2012-11-11T14:48:03 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-11-11T14:48:03 sending 704 bytes to IPv4:192.168.72.10
2012-11-11T14:45:39 AS-REQ brian.empson/admin@REALM from IPv4:192.168.72.10 for kadmin/admin@REALM
2012-11-11T14:45:39 Client sent patypes: REQ-ENC-PA-REP
2012-11-11T14:45:39 Looking for PK-INIT(ietf) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for PK-INIT(win2k) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for ENC-TS pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2012-11-11T14:45:39 sending 303 bytes to IPv4:192.168.72.10
2012-11-11T14:45:39 AS-REQ brian.empson/admin@REALM from IPv4:192.168.72.10 for kadmin/admin@REALM
2012-11-11T14:45:39 Client sent patypes: ENC-TS, REQ-ENC-PA-REP
2012-11-11T14:45:39 Looking for PK-INIT(ietf) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for PK-INIT(win2k) pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 Looking for ENC-TS pa-data -- brian.empson/admin@REALM
2012-11-11T14:45:39 ENC-TS Pre-authentication succeeded -- brian.empson/admin@REALM using aes256-cts-hmac-sha1-96
2012-11-11T14:45:39 ENC-TS pre-authentication succeeded -- brian.empson/admin@REALM
2012-11-11T14:45:39 AS-REQ authtime: 2012-11-11T14:45:39 starttime: unset endtime: 2012-11-11T15:45:39 renew till: unset
2012-11-11T14:45:39 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2012-11-11T14:45:39 sending 717 bytes to IPv4:192.168.72.10
I wish there were more detailed log messages. Running kadmind in debug mode seems to almost work, but when I enter the correct password it just kicks me back to the shell.
GSSAPI via LDAP doesn't work either, but I suspect that's because some part of Kerberos isn't working either:
root@rds0:~# ldapsearch -Y GSSAPI -H ldaps:/// -b "o=mybase" o=mybase
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
root@rds0:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b "o=mybase" o=mybase
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
<snip>
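As an added diagnostic that is not part of the original post: "Key table entry not found" is Heimdal's wording for KRB5_KT_NOTFOUND, i.e. krb5_recvauth in kadmind could not find a key for the targeted service principal in the keytab the daemon was started with (kadmind and kpasswdd both take a -k/--keytab option). The KDC log above shows the clients asking for kadmin/admin@REALM and kadmin/changepw@REALM, so the script below parses the output of `ktutil -k <keytab> list` and names whichever of those two entries is missing. The keytab path and the sample listing are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Checks ktutil list
# output for the two service principals kadmind and kpasswdd must be
# able to decrypt tickets for. Keytab path and sample are constructed.

REQUIRED="kadmin/admin kadmin/changepw"

# missing_principals REALM  < ktutil-list-output
# Prints each required principal that is absent, one per line.
# Returns 0 when the keytab holds all of them, 1 otherwise.
missing_principals() {
    realm="$1"
    # Keep the Principal column of data rows only: rows whose first
    # field is a numeric key version number. Headers and the
    # "FILE:/path:" banner line are skipped.
    present=$(awk '$1 ~ /^[0-9]+$/ && NF >= 3 { print $3 }')
    rc=0
    for svc in $REQUIRED; do
        if ! printf '%s\n' "$present" | grep -qxF "$svc@$realm"; then
            echo "$svc@$realm"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in the layout ktutil list uses: a keytab that
# only holds the host and ldap keys, so kadmind and kpasswdd have no
# key for their own service principals.
SAMPLE_KEYTAB_LISTING='FILE:/etc/krb5.keytab:

Vno  Type                     Principal                     Aliases
  1  aes256-cts-hmac-sha1-96  host/rds0.example.net@REALM
  1  aes256-cts-hmac-sha1-96  ldap/rds0.example.net@REALM'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | missing_principals REALM
fi
```

Against a real host, pipe the live listing in instead: `ktutil -k /etc/krb5.keytab list | missing_principals REALM` (substitute whatever keytab kadmind is actually started with).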